CN106155880B - A kind of automated procedures analysis system and method based on strategy - Google Patents

A policy-based automated program analysis system and method

Info

Publication number
CN106155880B
CN106155880B
Authority
CN
China
Prior art keywords
analysis
module
strategy
software
management
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201510137798.9A
Other languages
Chinese (zh)
Other versions
CN106155880A (en)
Inventor
朴爱花
龚晓锐
王伟
周建华
霍玮
孙丹丹
邹维
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Institute of Information Engineering of CAS
Original Assignee
Institute of Information Engineering of CAS
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date

Landscapes

  • Debugging And Monitoring (AREA)

Abstract

The present invention relates to a policy-based automated program analysis system and method. The system comprises a data source, analysis units and a scheduling and management program. The data source is the set of software to be analysed. An analysis unit is an encapsulated software analysis module that communicates with the scheduler and completes one kind of analysis, or one stage of the program security analysis, for a given piece of software. The scheduling and management program is used to configure the analysis policy; by parsing the configured policy and monitoring the state of the several analysis units, it schedules and manages the analysis tasks and links the analysis units into an effective combined workflow. Through pre-configured policies and global task scheduling, the invention automatically chains several analysis modules or analysis stages together, giving a comprehensive, efficient and automated program analysis process.

Description

A policy-based automated program analysis system and method
Technical field
The present invention relates to the technical field of system security, and in particular to a policy-based automated program analysis system and method.
Background art
With the rapid development of computers, intelligent terminals and the Internet, and the growing popularity of the mobile Internet, software has become an indispensable part of people's daily life and work. At the same time, however, more and more malware and vulnerable software is appearing, bringing a variety of direct and indirect threats and harms to software users and to society as a whole.
Malware, and mobile-phone malware in particular, endangers the property and private information of users. Malicious fee-deduction behaviour by mobile-phone malware, for example, accounts for a large share of all dangerous behaviours; the CCTV 315 gala exposed the "black economic chain" of malicious fee deduction by software bundled on counterfeit (shanzhai) phones, which caused great financial losses to phone users. Besides malicious fee deduction, malware also exhibits other malicious behaviours such as theft of private information, malicious propagation and destruction, and forced network connections.
Vulnerable software is software that contains vulnerabilities or defects, introduced through negligence or mistakes by the developer when the software was designed or written. Such software poses a very high security threat: at best it can crash the software or the system, and at worst it can be exploited by an attacker to deliberately damage or take control of the host or its environment.
Because the security problems caused by malware and vulnerable software are becoming increasingly prominent, program analysis technology has developed rapidly alongside them, and many methods for program security analysis and detection have appeared. Traditional methods for detecting malicious software behaviour include static behaviour analysis based on signature matching, dynamic sandbox analysis based on behavioural features, and dynamic taint tracking based on data-flow analysis. Each of these methods has its own technical advantages and limitations, and none of them on its own can detect every type of malware, so several analysis techniques generally have to be used in combination. In Android malware detection, for example, static behaviour analysis can cover the whole surface of the software under test and obtain the paths to sensitive operations, but because it cannot obtain the precise execution context it produces false positives. Dynamic behaviour sandboxing can accurately confirm that a behaviour is triggered, but it cannot actively cover paths effectively: the paths to test and the conditions for executing them have to be supplied, and its coverage of the software is small. Malware detection therefore needs to combine dynamic and static analysis.
In a program analysis system that combines several security analysis techniques, a unified scheduler is generally needed to control the overall distribution of analysis tasks among the analysis modules. Traditional scheduling methods, however, are designed mainly for generality: most of them distribute tasks mechanically, according to simple information such as the task type of an analysis module and the number of tasks it requests, and cannot make adequate use of the knowledge produced by other modules to schedule purposefully. The scheduler mainly considers the output quantity of the upstream module and the ownership of the downstream module and distributes by quantity; it has no way to analyse the output of the upstream module further according to a policy. In Android malware detection, for example, a detection technique that combines dynamic and static analysis is generally used, where the dynamic analysis consists of a dynamic sandbox and dynamic taint tracking. Taint tracking is based mainly on data-flow analysis and checks whether the software leaks private data; the dynamic sandbox is based mainly on control flow and checks whether the software has other malicious behaviours such as malicious fee deduction.
Static analysis obtains the paths to sensitive behaviours, and dynamic analysis verifies them according to those sensitive paths. In one scenario, static analysis finds that the software under test has privacy-leaking behaviour; the subsequent dynamic analysis then only needs to verify this with dynamic taint tracking, and dynamic sandbox detection is unnecessary. But because the scheduler cannot use the knowledge from static analysis, it can only keep handing tasks to the dynamic sandbox according to the static analysis output, wasting valuable computing resources. In another scenario, because of limitations of the Android emulator, some software cannot run normally in the emulator under certain conditions, so emulator-based dynamic analysis may miss malicious behaviour and a real-device (physical phone) dynamic analysis module is needed to detect it separately; but since the scheduler cannot obtain this information, it cannot schedule the real-device module. What is needed, therefore, is a policy-based scheduling method that, for the results output by an upstream module, uses the configured policy information and the upstream module's knowledge to schedule tasks purposefully, improving the efficiency of program behaviour analysis.
Summary of the invention
The object of the present invention is to provide a system and method that automatically schedules multiple program analysis modules according to a configured policy. Through pre-configured policies and global task scheduling it automatically links several analysis modules or analysis stages together, giving a comprehensive, efficient and automated program analysis process.
The technical solution provided by the invention is as follows:
A policy-based automated program analysis system, as shown in Figure 1, includes three components: a data source, analysis units and a scheduling and management program. The data source is the set of software to be analysed and supports retrieval and acquisition in some form. An analysis unit is an encapsulated software analysis module that can communicate with the scheduler and completes one kind of analysis, or one stage of analysis, for a given piece of software. The scheduling and management program, on the one hand, lets the user configure the analysis policy according to the characteristics of the analysis units and the analysis process; on the other hand, by parsing the configured policy and monitoring the state of the analysis units, it schedules and manages the analysis tasks (distribution, monitoring, recycling, auditing and so on), ultimately linking the analysis units into an effective combined workflow.
A policy-based automated program analysis method uses the above system to schedule several kinds of analysis units according to the policy and carry out the security detection process for the software in the data source. The specific steps are as follows:
1) The user pre-configures the analysis policy. The user must define in the configuration the types and numbers of analysis units that the predefined analysis process contains, and the linking policy between analysis units of different types.
2) The scheduling and management program parses the user configuration and initialises each analysis unit and the scheduler according to it.
3) The scheduling and management program distributes the software under test in the data source to analysis units of the specified type according to the configured policy.
4) Each analysis unit receives the software under test distributed by the scheduler and carries out one kind of analysis, or one step of the security analysis. When the analysis is complete it records its analysis state and result and notifies the scheduling and management program.
5) According to the configured policy and the analysis state and result reported by the analysis unit, the scheduling and management program distributes the software to an analysis unit of a certain type in the next stage.
6) Steps 4) to 5) are repeated until the software under test completes one of the complete analysis processes specified in the policy.
Further, the analysis policy configured in step 1) above may be in any general description-language format, such as XML or a custom document language.
Further, the analysis policy configured in step 1) above may use the analysis result or analysis state of a certain type of analysis unit as the condition for passing the software on.
Further, in steps 3), 4) and 5) above, communication between the scheduling and management program and the analysis units may use any communication mechanism, such as inter-process communication or communication through a database.
Further, the analysis units include but are not limited to: a dynamic UI detection module, a static analysis module, a dynamic taint tracking module, a dynamic behaviour sandbox module, a vulnerability detection module, a vulnerability exploit scanning module, a real-device detection module and a manual analysis module.
Compared with the prior art, the present invention can integrate several kinds of analysis, or several analysis steps, into a single unified analysis process, and uses the configured policy information together with the output results and analysis state of the upstream module to schedule tasks purposefully, improving the precision of the analysis. At the same time, the scheduling and management program also makes it easy to process several groups of analysis units in parallel, improving analysis efficiency.
Description of the drawings
Fig. 1 is a structural diagram of the policy-based automated program analysis system of the invention;
Fig. 2 is a structural diagram of the policy-based automated program analysis system of the embodiment of the invention.
Detailed description of the embodiment
A method and system for automated Android malware detection with policy-based task scheduling is described in detail below with reference to the drawings, but the invention is not limited to the following embodiment.
The overall architecture of this embodiment is shown in Fig. 2. The system mainly comprises three parts: a data source, four kinds of Android application analysis unit, and the scheduling and management program, which in turn includes the scheduler, the configuration program and so on. The data source is an Android software crawling module whose output, the crawled Android software, forms the input tasks of the Android application analysis units. The four kinds of Android application analysis unit are a dynamic UI detection module, a static analysis module, a dynamic taint tracking module and a real-device detection module; at run time, any number of instances of each kind (zero or more) may run in parallel.
In this embodiment an XML file is used as the policy configuration file, and MySQL database tables are used as the communication interface between the scheduling and management program and the analysis units. In the configuration file the user can name each of the four kinds of analysis unit. Each kind of analysis unit takes an Android software package as its task and outputs its analysis result in a specified format, for example as a MySQL database table with fixed fields.
Two common analysis scenarios follow:
In the first scenario, the static analysis module finds that the software under test has potentially malicious behaviour; this is subsequently verified by the dynamic taint tracking module, without detection and analysis by the real-device module. If the static analysis module finds that the software under test has no potentially malicious behaviour, the detection process for that software ends.
In the second scenario, the dynamic UI detection module or the static analysis module finds that a certain piece of software under test cannot run normally in the Android emulator; it must subsequently be tested and analysed by the real-device dynamic analysis module, without entering the taint tracking module.
For these two scenarios, an example user configuration file is as follows:
<xml>
<PL name="android_analysis" desc="Android software safety detection">
<source name="app_market" max="100000"/>
<unit name="ACFG" desc="dynamic UI detection module" count="10" seq="1"/>
<unit name="SA" desc="static analysis module" count="8" seq="2"/>
<unit name="TC" desc="taint tracking module" count="20"/>
<unit name="RP" desc="real machine detection module" count="5"/>
<policy priority="10" content="if Result(SA)=0 then finish"/>
<policy priority="10" content="if Result(SA)=1 then run(TC)"/>
<policy priority="20" content="if Status(ACFG)=0 or Status(SA)=0 then run(RP)"/>
</PL>
</xml>
The attributes of the PL node are the general configuration of this detection workflow; the attributes of the source node configure the data source; the attributes of each unit node configure one analysis unit; and the attributes of each policy node configure one detection policy. The four unit nodes correspond to the four types of analysis unit, and for each the user can define the degree of parallelism and the default execution order; the three policy nodes define, for particular analysis results or states of a given analysis unit, what subsequent processing should take place.
According to the seq attribute of the unit nodes, the default execution order is: first run the ACFG unit (dynamic UI detection module, seq=1), then the SA unit (static analysis module, seq=2).
The first scenario is described by the first two policy nodes: if the result of the SA unit is 0 (no potentially malicious behaviour), the analysis process ends; if the result of the SA unit is 1 (potentially malicious behaviour present), the TC unit (taint tracking module) is run.
The second scenario is described by the third policy node: if the analysis state of the ACFG unit or of the SA unit is 0 (cannot run in the emulator), the software goes to the RP unit (real-device detection module).
The priority attribute of a policy node defines the priority of the policy. When several policies are satisfied at the same time during analysis, the policy with the higher priority is executed. In this configuration file, for example, if the analysis result of the SA unit for some software is 0 and its analysis state is also 0, the first and third policies are both satisfied, and the third policy, which has the higher priority (priority=20), is executed.
The scheduling and management program parses the above XML configuration file, reads in the configuration of the data source, the analysis units and the policies, and creates and initialises each analysis unit accordingly. Since this embodiment uses MySQL database tables as the communication interface between the scheduler and the analysis units, the results and status information of the analysis units and the task distribution information are recorded in database tables. Each analysis unit obtains its tasks, sends periodic heartbeats and updates its results and status by reading and writing the specified database tables; the scheduling and management program likewise reads and writes the relevant tables to learn the running state of each analysis unit's tasks and to handle the subsequent distribution of each task.
To verify the technical effect of the method, this experiment used three sample sets, each containing 50,000 pieces of software under test, and compared the analysis success rate against an automated program analysis system that does not use policies (that is, the software flows serially through every analysis module); the data are shown in the table. By comparison, the policy-based automated program analysis system effectively improves the analysis success rate.
Although specific embodiments and drawings of the invention have been disclosed for purposes of illustration, to help understand the invention and implement it accordingly, those skilled in the art will appreciate that various substitutions, changes and modifications are possible without departing from the spirit and scope of the invention and the appended claims. The invention should not be limited to the preferred embodiments and drawings disclosed in this specification; its scope of protection is defined by the claims.
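The dispatch logic that steps 2) to 6) of the method and the configuration above describe, as an added Python example (not the patent's own code): it parses a constructed copy of the page's XML, the policy language "if Result(UNIT)=n / Status(UNIT)=n [or ...] then finish / run(UNIT)", and chooses the next unit for a sample by priority, falling back to the seq default order. The {"status", "result"} record layout, the tie-break by definition order and the rule that a unit is never dispatched twice for one sample are assumptions.

```python
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed configuration in the shape of the page's example (not the patent's own file).
CONFIG_XML = """<xml>
<PL name="android_analysis" desc="Android software safety detection">
<source name="app_market" max="100000"/>
<unit name="ACFG" desc="dynamic UI detection module" count="10" seq="1"/>
<unit name="SA" desc="static analysis module" count="8" seq="2"/>
<unit name="TC" desc="taint tracking module" count="20"/>
<unit name="RP" desc="real machine detection module" count="5"/>
<policy priority="10" content="if Result(SA)=0 then finish"/>
<policy priority="10" content="if Result(SA)=1 then run(TC)"/>
<policy priority="20" content="if Status(ACFG)=0 or Status(SA)=0 then run(RP)"/>
</PL>
</xml>"""

# Policy language as used on the page: "if <test> [or <test>]... then finish|run(UNIT)",
# where <test> is Result(UNIT)=n or Status(UNIT)=n.
COND_RE = re.compile(r"(Result|Status)\((\w+)\)=(\d+)")
POLICY_RE = re.compile(r"^if\s+(.+?)\s+then\s+(finish|run\(\w+\))$")


@dataclass
class Policy:
    priority: int
    order: int          # definition order; breaks ties between equal priorities
    conditions: list    # (field, unit, value) tuples, joined by "or"
    action: str         # "finish" or "run(UNIT)"


def parse_config(xml_text):
    """Return (units, policies); units are the unit nodes' attribute dicts."""
    pl = ET.fromstring(xml_text).find("PL")
    units = [dict(u.attrib) for u in pl.findall("unit")]
    policies = []
    for order, node in enumerate(pl.findall("policy")):
        content = node.get("content", "").strip()
        m = POLICY_RE.match(content)
        if not m:
            raise ValueError("unparseable policy: %r" % content)
        conds = [(f.lower(), u, int(v)) for f, u, v in COND_RE.findall(m.group(1))]
        # Every "or"-separated term must be a recognised Result/Status test.
        if len(conds) != len(re.split(r"\s+or\s+", m.group(1))):
            raise ValueError("unsupported condition: %r" % m.group(1))
        policies.append(Policy(int(node.get("priority", "0")), order, conds, m.group(2)))
    return units, policies


def policy_matches(policy, record, last):
    """A policy fires when one of its tests holds for the unit that just reported.

    record maps a completed unit name to {"status": int, "result": int}
    (assumed layout of the database row the unit writes back).
    """
    for field_name, unit, value in policy.conditions:
        if unit == last and record.get(unit, {}).get(field_name) == value:
            return True
    return False


def next_action(units, policies, record, last=None):
    """Decide what the scheduler does with a sample after unit `last` reported.

    The highest-priority matching policy wins (earlier definition breaks ties);
    a unit is never dispatched twice for the same sample; with no applicable
    policy the seq-ordered default chain continues, and when it is exhausted
    the sample is finished.
    """
    matches = [p for p in policies if policy_matches(p, record, last)]
    if matches:
        best = max(matches, key=lambda p: (p.priority, -p.order))
        if best.action == "finish" or best.action[4:-1] not in record:
            return best.action
    for unit in sorted((u for u in units if "seq" in u), key=lambda u: int(u["seq"])):
        if unit["name"] not in record:
            return "run(%s)" % unit["name"]
    return "finish"


def run_workflow(units, policies, report):
    """Drive one sample through the chain; returns the units executed, in order.

    `report(unit_name)` stands in for the unit finishing and writing back its
    {"status", "result"} row.
    """
    record, executed, last = {}, [], None
    while True:
        action = next_action(units, policies, record, last)
        if action == "finish":
            return executed
        last = action[4:-1]
        record[last] = report(last)
        executed.append(last)


if __name__ == "__main__":
    units, policies = parse_config(CONFIG_XML)
    # Benign sample: SA reports result 0, so the first policy ends the analysis.
    print(run_workflow(units, policies, lambda name: {"status": 1, "result": 0}))
```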

Claims (10)

1. A policy-based automated program analysis system, characterised in that it comprises a data source, analysis units and a scheduling and management program; the data source is the set of software to be analysed; an analysis unit is an encapsulated software analysis module that communicates with the scheduling and management program and completes one kind of analysis, or one stage of the program security analysis, for a given piece of software; the scheduling and management program is used to configure the analysis policy and, by parsing the configured analysis policy and monitoring the state of the several analysis units, schedules and manages the analysis tasks and links the analysis units into an effective combined workflow;
wherein scheduling and managing the analysis tasks and linking the analysis units into an effective combined workflow comprises:
1) the scheduling and management program parses the user-configured analysis policy and initialises each analysis unit and the scheduling and management program according to the configuration;
2) the scheduling and management program distributes the software under test in the data source to analysis units of the specified type according to the user-configured analysis policy;
3) each analysis unit receives the software under test distributed by the scheduling and management program and carries out one kind of analysis, or one step of the program security analysis; when the analysis is complete it records its analysis state and result and notifies the scheduling and management program;
4) according to the user-configured analysis policy and the analysis state and result of the analysis unit, the scheduling and management program distributes the software to an analysis unit of a certain type in the next stage;
5) steps 3) to 4) are repeated until the software under test completes one of the complete analysis processes specified in the policy.
2. The system of claim 1, characterised in that the analysis units include one or more of: a dynamic UI detection module, a static analysis module, a dynamic taint tracking module, a dynamic behaviour sandbox module, a vulnerability detection module, a vulnerability exploit scanning module, a real-device detection module and a manual analysis module.
3. The system of claim 1, characterised in that the scheduling and management program communicates with the analysis units by inter-process communication or through a database.
4. The system of claim 1, characterised in that the scheduling and management of the analysis tasks includes distribution, monitoring, recycling and auditing of the analysis tasks.
5. A policy-based automated program analysis method using the system of claim 1, characterised in that it schedules several kinds of analysis units according to the policy and carries out the security detection process for the software in the data source, with the following steps:
(1) the user pre-configures the analysis policy, including the types and numbers of analysis units that the predefined analysis process contains, and the linking policy between analysis units of different types;
(2) the analysis tasks are scheduled and managed according to steps 1) to 5) of claim 1, linking the analysis units into an effective combined workflow, so as to carry out the security detection process for the software in the data source.
6. The method of claim 5, characterised in that the analysis policy configured in step (1) uses any general description-language format, including XML or a custom document language.
7. The method of claim 5, characterised in that the analysis policy configured in step (1) uses the analysis result or analysis state of a certain type of analysis unit as the condition for passing the software on.
8. The method of claim 5, characterised in that the scheduling and management program communicates with the analysis units by inter-process communication or through a database.
9. The method of claim 5, characterised in that the analysis units include one or more of: a dynamic UI detection module, a static analysis module, a dynamic taint tracking module, a dynamic behaviour sandbox module, a vulnerability detection module, a vulnerability exploit scanning module, a real-device detection module and a manual analysis module.
10. The method of claim 9, characterised in that the security detection of the software is carried out using the following analysis scenarios:
A) the static analysis module finds that the software under test has potentially malicious behaviour, which is subsequently verified by the dynamic taint tracking module, without detection and analysis by the real-device module; if the static analysis module finds that the software under test has no potentially malicious behaviour, the detection process for that software ends;
B) the dynamic UI detection module or the static analysis module finds that a certain piece of software under test cannot run normally in the Android emulator, and it is subsequently tested and analysed by the real-device dynamic analysis module, without entering the taint tracking module.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510137798.9A CN106155880B (en) 2015-03-27 2015-03-27 A kind of automated procedures analysis system and method based on strategy


Publications (2)

Publication Number Publication Date
CN106155880A CN106155880A (en) 2016-11-23
CN106155880B true CN106155880B (en) 2019-07-30

Family

ID=57340262



Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106557701B (en) * 2016-11-28 2019-09-06 北京奇虎科技有限公司 Kernel leak detection method and device based on virtual machine
CN107330332A (en) * 2017-05-23 2017-11-07 成都联宇云安科技有限公司 A kind of leak detection method for Android mobile phone APP
CN108197466A (en) * 2017-12-25 2018-06-22 哈尔滨安天科技股份有限公司 Based on decision plan preposition Anti- Virus Engine detection method and system

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101017458A (en) * 2007-03-02 2007-08-15 北京邮电大学 Software safety code analyzer based on static analysis of source code and testing method therefor
JP2009146207A (en) * 2007-12-14 2009-07-02 Mitsubishi Electric Corp Source code analysis support device

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Yang Guangliang et al., "A privacy leak detection system for Android", Computer Engineering (计算机工程), vol. 38, no. 23, pp. 1-6, 2012-12-05 *



Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant